Cisco NAC Web Agent error.

Has anyone encountered this error on the Cisco NAC Web Agent before (see table)? I am setting up Cisco NAC Appliance in Out-of-Band virtual gateway mode for the deployment of Unified Wireless using the WLC. I would be grateful if someone could tell me what could be the cause of the error. Thanks in advance.

This means that the CAM has not received an SNMP trap for this MAC address. Check that the WLC is configured to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626

You can see whether the CAM got a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.


Similar Questions

  • Agent of the NAC this SSL error

    Running

    CAM: 4.5.0 lite

    Current Windows clean access Agent Version: 4.5.0.0

    Current Windows clean access Agent Patch Version: 4.5.0.0

    Current Macintosh Clean Access Agent Version: 4.5.0.0

    Current Cisco NAC Web Agent Version: 4.5.0

    (Clean access windows agent installed on the host (Vista Business) is version 4.5.1.0)

    CAS mode: L2 virtual OOB GW

    The setup is in lab conditions for a proof of concept.

    The following scenario occurs each time a new authentication is attempted from a vista host running the agent access.

    -------------

    I plug the host on the controlled NAC switch port

    I get an ip address although my pool of vlan and dhcp auth

    The Cisco Clean Access Agent is displayed on the screen as normal

    I enter my user and pass and click login

    I get a "security alert" pop up indicating "the revocation information of the certificate for this site is not available. Do you want to continue?"

    There are 3 buttons to choose: Yes, no, display certificates

    I click Yes, but the error message does not disappear,... no matter how many times you click on Yes,... the error remains on the screen, keep you from making the connection.

    If I click on no.

    The clean access agent then says "network error!, detail: Certificate SSL REV failed [12057]."

    My only option is to click on the "Close" button so I don't

    This closes the Clean Access Agent, but the agent instantly appears back on my screen asking again for the user and pass.

    I enter the right user and pass and click login

    I receive a new security alert pop up stating "this page requires a secure connection which includes server authentication." "The issuer of certificate for this site is unknown or unreliable, making you go?

    My click options are: Yes, No, View Certificate or More Information

    I click on Yes, the security alert disappears and Clean Access now states that I managed to connect to the network.

    It refreshes my IP address and puts me in the vlan correct based on the role of my user name.

    -------------

    I checked the event logs; all my access attempts are accepted (on the 2nd try of course), but there are no errors in the CAM about this SSL problem.

    However, I get a red warning text on the summary page of the CAM, which states the following; I do not know if it has any impact on my problem.

    "WARNING: The end-entity certificate issued by "www.perfigo.com" is suitable for laboratory environments only. You must import a third-party end-entity certificate for your Clean Access Manager and Clean Access Servers before deploying Cisco NAC Appliance in a production environment. Please check your Clean Access Servers and Clean Access Manager for similar messages.

    WARNING: The current "www.perfigo.com" trusted certification authority is suitable for laboratory environments only. Cisco recommends importing a third-party certification authority. Please check your Clean Access Servers and Clean Access Manager for similar messages."

    My questions are,

    -Why used the CAA accepts the first authentication attempt?

    -How can I remove the first security alert?

    -How can I set the CCA so that I login just once without having to click on no and wait for CAA to appear a 2nd time?

    Thank you all

    The fundamental problem is that the client is unable to check the root certificate for your CAS.

    I guess that, since you still have the Perfigo warning, you have not installed a valid certificate on the job. If you did, you must remove the Perfigo certificate. If you install a valid certificate, you must remove the Perfigo cert.

    Once you have a valid cert installed, make sure that the client can access the root certificate server from the auth VLAN. That should get rid of both of these messages.

    If you cannot provide access to the certificate server, then you cannot get rid of the second message, but you can get rid of the first message (the one that sticks you in a loop).

    This message (the first one) appears because certificate revocation checking in Internet Explorer has been enabled. This option was disabled by default in XP, but is enabled by default in Vista. The option is disabled in Internet Options > Advanced tab > check the CRL.

  • NAC Web Agent vs NAC Appliance Agent

    Hello

    What is the difference between "NAC Appliance Agent" and "NAC Web Agent"?
    In my case I do not get the "NAC Appliance Agent" pop-up screen, although I am able to connect correctly through "NAC Web Agent".
    I would like to know if the connection via "NAC Appliance Agent" is mandatory.

    PFA, the 'CiscoSupportReport.zip' for 'Agent NAC Appliance'.

    Thank you
    Sagar

    It is not mandatory to use the agent unless you specify in the policy for the role of user assigned to your username.

    The web agent can do most of what the installable agent does, at least with respect to authentication and posture.

    Check the role assigned to your user under Device Management > Clean Access and see what is required for this role.

    Hope this helps

  • Cisco NAC Agent Login screen

    There is a problem with the clients: sometimes at startup the Cisco NAC Agent login screen is not displayed on some of the newly added machines. Are there special requirements for the Cisco agent on the client machines?

    Regards

    Waqas

    Waqas,

    No specific requirement, except that they be on the list of supported OSs. For example, server OSs are not supported, so if you were trying to install/run on a Server 2003 or 2008, that will not work.

    HTH,

    Faisal

  • difference between cisco NAC agent and cisco Clean Access Agent

    Hi all

    If anyone has an idea of the difference between the Cisco NAC Agent and the Cisco Clean Access Agent, please let us know.

    Thank you

    In 4.6, the agent has been revised and is now called the NAC Agent. Previous versions were called the Clean Access Agent. So roughly, the 4.5 and 4.1.3.2 agents are Clean Access Agents, and the 4.6.x and 4.7.x agents are called NAC Agents.

    Some of the changes are moving a lot of the agent configuration into an XML file, a redesign of the GUI, adding a service portion (so that the stub agent is no longer necessary) and better agent logging.

  • Cisco NAC Profiler

    Hello

    I have some doubts; if anyone can clear them up it will be great. I have a NAS OOB real-IP gateway deployment in my network.

    Assume that all ports are NAC-controlled. So as soon as the clients connect, they are in the auth VLAN.

    Now I have a Cisco NAC Profiler in my network, in which I will configure IP phones and printers.

    For example, if an IP phone is connected to a port, it will also be in the auth VLAN.

    So as soon as an IP phone gets plugged in, the Cisco Profiler will see the profile and change the VLAN from auth to its respective VLAN by mapping the profile and the NAC profile that we have mapped in the Profiler, and the VLAN given in the NAC user profile for the IP phone.

    Please correct me if I'm wrong, for the understanding of the operation. I need profile of ip phones. I am not able to connect.

    It would be very useful if you can help me.

    Thanks in advance.

    Hi Nitesh,

    The NAC has no control over the voice VLAN, so this would be defined locally on each switch port.

    For example, you do not assign the profiled IP Phone endpoint to any role, because the entry is 'ignored' and the phone works on the locally configured voice VLAN without going through the NAC.

    The IP phone case is different from that of printers and ATMs... as in this case, these devices are on the access VLAN (which is controlled by the NAC), and you do not expect to see any other devices (MAC addresses) on the same port as a printer, ATM or other endpoint without an agent. That being said, you can assign different endpoint profiles to different roles in this case.

    I hope that answers your questions.

    Kind regards

    Federico

  • Cisco NAC 3310 upgrade from 4.1.6 to 4.7.2

    Hello

    I need to upgrade the NAC environment from version 4.1.6 to version 4.7.2.

    This is the scenario.

    2 CAM

    2 CAS

    The platform is 3310 in HA pairs.

    On Cisco's Web site, I found that it is possible to upgrade to 4.7.2 through this path: 4.1.6--> 4.1.8--> 4.5.1--> 4.7.2. I think the direct 4.1.6--> 4.5.1 upgrade is possible. Can you confirm that?

    Well, I have a few questions about this upgrade.

    (1) If the operation fails, is there any restore task to do? Reinstall the CAM/CAS and restore the backup, or what?

    (2) can you tell me the time for 4.1.8--> 4.5.1 upgrade?

    (3) the downtime for the upgrade 4.5.1--> 4.7.2?

    Thank you for the support!

    Leonardo,

    Do the CASs first. Because they are in HA, the key is to always keep one of the devices in the HA pair offline. So do the primary first. Turn it off, the secondary image. Which stops and provide primary upward. Once it has control of the service IP address, then bring the secondary back up again.

    Ditto for the CAMs. One should always be down in a pair when you do upgrades.

    HTH,

    Faisal

    --

    If you find this article useful, please note so that others can easily find the answer

  • Cisco NAC server and asset number check? Would this work?

    Hi all

    A customer raised a question when we presented Cisco NAC today. They wondered: let's say a client with the Cisco NAC agent installed is connected to the network switch. It has all valid requests and patch levels on its machine (posture validation check passes).

    However, even if the client passes on all the parameters, they want to know whether, if the host name of the client (for most Windows laptops) does not exist in their asset database (this is an asset number database in .csv or a similar format), posture validation must fail.

    Have you met a request like this before? Is there a function on the NAC server which checks a field against an external database such as an asset database?

    See you soon.

    Dumlu,

    Currently, it is not possible. You can create checks that check values locally, but not against external data stores, so for this check to work the way you are thinking, NAC would have to know all the workstation names beforehand and then check against that. It is unwieldy and very, very difficult to scale.

    If it's something you and your client think would be a good addition (and it sounds like a good idea) Please engage with your account team and ask them to request a feature for you.

    Thank you

    Faisal

  • Being driven nuts by Cisco NAC! Help!

    Hi all

    Getting desperate here... been trying to get the Cisco NAC solution (Cisco NAC 3310) to work, but with limited success, and the results are currently desperately random. I have a lot of experience with Cisco products and so far this has been the most painful :-( Any help here would be gladly appreciated!

    OK, here's the setup: the CAM and CAS are configured in OOB VG mode (Layer 2). I installed everything by following the guide from Cisco (I hope) - different VLANs for the CAS and the CAM, VLAN mapping, managed subnets, switch profiles configured, etc. Yet I get strange results: some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes from the initial VLAN to the auth VLAN). I have racked my brain trying to figure out what's wrong; the event logs do not indicate many problems. Just to check on some uncertainties:

    1. For the managed subnet IP, should I check the box "Enable subnet based Vlan change?"

    2. For the managed subnet, should I put the managed subnet IP address as the IP of the gateway? E.g. VLAN 110 (untrusted VLAN) mapped to VLAN 10 (trusted VLAN), which is the 10.1.10.0/24 subnet. The gateway is 10.1.10.254. So should I configure the managed subnet IP/netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address from that subnet (for example 10.1.10.1)?

    3. I am also experiencing the situation where, after connecting successfully (passing the NAC verification etc.), I unplugged my laptop from the managed switch port and after a while reconnected. This time no authentication happens, but the network connectivity is broken (even though the Cisco Agent is running). It seems that the network port is placed in the auth VLAN, yet nothing prompts me to log in. Any ideas?

    W

    Woon,

    What policies do you have installed on your current user roles?

    You can try allowing all TCP/UDP and fragments to see if not connect at all times.

    Right-click on the Clean Access Agent as well and select Properties. Make sure that there is no discovery host, since it is an L2 deployment.

    You also have to note the previous post, so if others have similar problems that they will look at this thread

    Thank you!

  • Cisco NAC Discovery Host field use with OOB L3 and OOB L2

    Hi all

    We are in the project initiation phase of a huge Cisco NAC deployment.

    The customer has 8 regional offices which will be deployed in OOB L2 mode with their own NAC servers.

    The customer also has 25 small offices which will be deployed in OOB L3 mode (using access control lists) with two central NAC servers.

    The NAC agent will be deployed centrally through Microsoft Windows Domain Services on each computer in the domain. However, users could occasionally move from a small office to a regional office.

    I was wondering how we should use the Discovery Host field in the Agent XML?

    My opinion is to set the Discovery Host field to the IP address of the central NAC servers. This setting will be used when the user is in a small office, and when in a regional office, the NAC server in OOB L2 mode will already intercept the user's traffic and the IP address in the Discovery Host field won't matter in this case?

    Am I wrong?
    Any help much appreciated.

    Dumlu

    Hi Dumlu,

    If your concern relates to L2 users, then this will work regardless of the configured discovery host address.

    This is the case because the Agent will try the configured discovery host address on top of the default gateway address.

    In L2, the NAC server is between the host and the default gateway, so the L2 discovery process will still work.

    Consider that for L3 users, the discovery packet sent to the discovery host address just has to reach the NAC server, no matter whether the agent can actually reach this address; the point is to ensure that the NAC server receives this packet in order to reply with the NAC server's specific info.

    I hope that answers your question.

    Kind regards

    Federico

    --

    If this answers your question please mark the question as "answered" and write it down, so other users can easily find it.

  • Cedric_L: when click search on google web, firefox error and disappear

    Then, click search the web from google or yahoo web, firefox error and disappear

    Operating system

    Window xp sp2

    I tried to boot into 'Safe Mode '. A problem still occur.
    Here it is the Crash report

    ID: 365947b6-2839-4689-be38-1a3c32100604
    Signature: @0 x 0 | @0x10b42bc5 | BaseThreadStart

  • Order SSL VPN with Cisco Cloud Web Security

    We have implemented Cisco Cloud Web Security with the connector of the ASA and transfer all traffic port 80 and 443 to the Tower of the CCW. We have enabled HTTPS inspection, and I was wondering if there was anything, we can add in the configuration that would allow us to control (allow/block) SSL VPN?

    Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.

    Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/gu...

  • I am unable to use the "email us" on some sites Web, the error message is ' no e-mail program associated to this.

    Original title - Outlook Live

    Or direct or Outlook appear on win 7 list of default programs, so I am unable to use the "email us" on some sites Web, the error message is ' no e-mail program associated to this "" go to default programs and associate.   Even though I have a Live (and Outlook account, they are not listed by default in the programs.  I can send and receive emails in 'Live' and prospects, but cannot associate, because they are not displayed.  I don't have MS Office.  I use the email from Comcast, but also does not appear.   Absence of a response, does anyone know how to make the "no e-mail program associated to this" work?

    Hi Michael,

    Please answer this question to get more clarity on this issue.

    • You have installed Windows Live Mail email client?

    This problem may occur if Windows Live Mail or Microsoft Outlook is not installed on the computer.

    If you don't have Windows Live Mail, you can download and install Windows Live Essentials to check the status.

    You can download Windows Live Essentials here: http://www.microsoft.com/en-us/download/details.aspx?id=3945

    Reference article.

    Windows Essentials: http://windows.microsoft.com/en-us/windows-live/windows-essentials-help#v1h=tab4

    Response with the State of the question and we will be happy to offer you our help.

  • Cisco NAC appliance - after a success does not change users to connect to the vlan propper

    Hello

    I am new to cisco NAC BURNERS and I have to troubleshoot an implementation. It is a real OOB IP gateway configuration. Users can connect to the Pentecost the CCA, but after the connection of this success, they remain on the role not authenticated, as well as on this vlan. I checked the SNMP protocol and seems to work very well. Also, I checked the logs on nac_manager.log and there is nothing surprising, in fact I see nothing about this user or IP address that connects.

    Also the user does not appear on the list of users online on cam.

    Can someone help me figure out how can I fix? version 4.8, I'll post any information requested

    Thank you

    We recently had the problem with Windows AD SSO and Windows 7 clients.

    Would authenticate the XP clients very well, however, Windows 7 clients would not authenticate and will remain just on the authenticated vlan.

    Our issue was with the CAS SSO account we set up in AD. It only supported DES encryption, which Windows 7 64 does not have. We turned off "Use DES encryption" on the SSO AD account and re-tested.

    What are the parameters of the port profile that is applied to the switchport?

    What are the VLAN mapping settings for the untrusted or trusted trunk ports?

  • RV042 Cisco Protectlink Web Protection

    Good day

    We have implemented Cisco Protectlink Web Protection on our network.

    After choosing the categories we want to block, all worked well, until we noticed that when users try to browse social networking sites such as www.facebook.com the site is blocked, but when users type https://www.facebook.com they go directly to Facebook.

    And also with YouTube: if they add https://, users can then bypass our network block.

    Is this a bug in the Protectlink category blocking?...

    Hoping for your immediate answer.

    Thank you.

    JP Mendoza

    You might consider ASA5505 or IOS routers.
